Free Trial
Contact Us
Podcast

Root Causes 98: DMARC and Verified Mark Certificates for Email

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
June 8, 2020

A new kind of identity certificate is coming that will enable businesses to include their logos in official email they send in order to improve customer confidence and protect against phishing. It is called a Verified Mark Certificate (VMC) and is built upon the DMARC standard, which controls which senders are allowed to send email using any given From address. In this episode our hosts explain VMCs and DMARC and how they will be used and then discuss where they fit in with S/MIME email certificates.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanSo, today, we are going to talk about a thing that is called a Verified Mark Certificate and this is a certificate that allows you to put your own branded logo into emails that you send out.
Jason SorokoJason SorokoYeah, that's interesting, isn't it? I haven't seen one of these yet.
Tim CallanTim CallanI have not seen one either. This is a new initiative. So, a little bit of background for the listeners so we all understand. All of this goes back to the basic problem of the spoof ability of from addresses in email. So, as we've discussed in this podcast in the past, email from addresses are self-reported the same way that your phone number is, which is why we see all the robocalls with the spoof numbers. We've talked about that in the past, too. Ditto for the email. Email addresses come in and it says from whatever, doesn't mean it's really from whatever. So, it says it's from your bank or from PayPal or from FedEx, it doesn't mean that it is and this is our part of the reason that phishing is effective is because lots and lots of people out there, lay people, even computer sophisticates don't always understand or always remember this in the moment. And so, part of the way that the industry is working to solve this is there is a standard capability that's called a DMARC and what DMARC does is makes it possible for the owner of the DNS, the owner of the URL to specify who can and cannot send email from this from address and then if there's a DMARC record there the vast majority of receiving mailboxes, including the Google stack, the Apple stack and the Microsoft stack and lots and lots of ISPs will all - and Yahoo - will all honor that. So, if I say this is the list of places, of services, that can send from my from address and someone else has a little robotic, uh, you know, phishing server somewhere in the world that is also trying to spoof that from address it won't be on the list of approved senders and therefore it won't be accepted. It will be quarantined and rejected at the other end by the receiver. And that's this fundamental capability DMARC that is in place to help domain owners get control of the email that's going out under their name. So, that's the first part of this and the DMARC has been around for a few years and we're seeing adoption go up.

So, as part of that effort, a group of industry people came together and it includes security people, it includes some DMARC experts and includes some receiving mailboxes like Google or senders like Google and they decided to create - - they created an organization called BIMI and what BIMI does is it's about putting together a standard for a certificate of Verified Mark Certificate of VMC. And so, the basic idea is that I'll be able to go and if I can prove that I am the domain owner then I can get this certificate that I attach to my emails that goes out and the certificate is, you know, a trusted cert just like there would always be and their certificate contains my logo and my logo has been authenticated. So, if I am let's say a bank, I submit my logo, that logo gets authenticated and then that Verified Mark Certificate gets attached and it has the logo in it and then when a VMC supporting mailbox receives that email it will actually display the logo like up by the from address, right, in the part that's not displayed inside of the body of the email where it could be anything, but like up by the from address, you'll actually see the logo of the sender. And the idea is for it to be an un-spoofable visual cue that an average email receiver can use to say, okay, I'm confident this is really an email from my bank and the idea is that by being able to put these logos on all of your official outbound communication that phishing targets will greatly reduce the effectiveness of phishing because they will train their customers, their partners, their ecosystems, whoever it is, their own employees, to look for that logo and that people when they don't see that logo will be less likely to act on the contents of that message.
Jason SorokoJason SorokoRight on, Tim.
Tim CallanTim CallanThat was kind of a long-winded explanation but that's what it does.
Jason SorokoJason SorokoYeah. Thanks Tim. That's good. So, are you seeing this as a competitive to S/MIME or other email identity solutions?
Tim CallanTim CallanYou know, it's interesting to ask how does it fit in with S/MIME, right. And in certain ways it's very, very different, right? S/MIME is not attempting to put on a logo. S/MIME is attempting to identify an individual, right? So, one person - - I'm the person who sent this and I am that person as opposed to a VMC which just really is saying, this is coming from that organization. Right? So, if I were an individual logging into the server of a company, you know, let's say Sectigo. Let's say we had a VMC. Then, if I sent you emails from my Sectigo account those would be supported and you would see that logo but I also could have my S/MIME cert there. And you would know that that was really for me and the email would be encrypted.

So, the other thing is that a VMC isn't doing anything with encryption, right? It's just really about communicating that logo. So, the two of them - - there's more that's different than is the same. There's a little bit of overlap in that they're both - - there's some level of focus on this idea of a spoofable from address but if you want to encrypt your emails, S/MIME is the only one that does that and if you want to put this logo in there, VMC is the only one that does that. Now, if you might want to imagine one day in the distant future could they be combined into a single cert? Maybe they could, but nobody is even talking about that right now.
Jason SorokoJason SorokoSure, Tim. The only thought I have around DMARC, I think conceptually it makes a heck of a lot of sense. I definitely don't have any problems with that at all. I think people should be using it especially in terms of just general emails. But what I'm thinking about DMARC is I wish we had some stats in front of us and maybe you do in terms of adoption. I know that adoption is rising but are there concerns that the adoption just isn't high enough to have a, you know, a general usage of it right now?
Tim CallanTim CallanYeah. I think - - I think let's separate out DMARC from VMCs for that discussion.

So, VMCs themselves you can imagine you want to have a certain amount of critical mass, right? So, that people are used to seeing these things in they're in their mailboxes and they understand what they are. The DMARC situation, I think, is a little different in that the amount of receiving mailboxes that are supporting is well over 90%. So, as a consequence of that, if I want to do DMARC, I have a high degree of confidence that most of the people who might be targeted by these from, these spoofed from addresses, are not going to be affected anymore. Right? And, so that gives me - - it gets around the double trigger problem that we are seeing so much in industry standards, which is like well, you need users and then you need supporters and there's no percentage in supporting it if there aren't people using it and there's no percentage in using it if the people aren't supporting it right. You run into this problem a lot. That problem is already solved for DMARC because, you know, you could get a handful of mailboxes - and I listed them earlier, you know, imagine you get Google, Yahoo, Microsoft, Apple. Those four to agree to do it and you're already at, you know, well in excess of 80% of the mailboxes that are out there.

So, that's basically what happened more or less and then from there it's straightforward to pick up the rest. And so, it's just a matter of kind of blocking and tackling to get that done. And so, the good news is that means that DMARC usage by domain owners, is just a function of how efficient we can make it for them to do so. Right. One of the challenges is that DNS is kinda hard, but there are companies and services that have sprung up to help people with that. And, so I do see that as inevitable, right? I think DMARC is going to be - - it's like certificates in the early days. A few specialists were using SSL certificates and lots and lots and lots of websites weren't. Now it's the opposite of that. If you're not using it, you are really kind of unusual. And so, I see DMARC going through that same process.

Now what's going to be interesting to see is do Verified Mark Certificates take off? Cause like you, Jay, I have not seen one in the wild yet and these are early days and it's early days for DMARC and it's extra special early days for VMCs, but this is the time now where you need to see that kind of adoption going.

I think if a few high-profile senders started to use it, if some major national banks and some major payment services and, you know, the usual targets, E-Trade and people like that started to use it, that would go a long way because a large number of consumers would now be seeing it in their mailbox and now it makes sense. I don't know what the plans are in that regard. I'm not privy to that level of insider information from those brands, but that's what I would be looking for.
Jason SorokoJason SorokoTim, is this supported in all the major browser clients, everything from say Gmail all the way up to Outlook and all that.
Tim CallanTim CallanYeah. I think that's another important point, Jay, which is the fundamentals of DMARC, right? The ability to control who is sending email using my from address absolutely is 100%. But the support for VMCs, obviously is a later thing. They have to change their interface. They have to support a new certificate type. There's a lot that has to be done there and my understanding is that a lot of those mailboxes do not yet have VMC support even though they have DMARC support. So, once again, if we can assume that that's on the roadmap and that's going to come and there may be some details that need to be worked out like logo size, logo specs, logo colors, image types, you can imagine the kinds of things that would have to be worked out with something visual like that. If you imagine that that’s gonna take a little more work, then that would explain why we don't have those things yet. So, again, I think it's going to be important to see do these VMCs start showing up? Do we start seeing support in the broad majority of mailboxes and do we start seeing usage let's say in the next year or so.
Jason SorokoJason SorokoThanks, Tim. So, comparing and contrasting a little bit to S/MIME, S/MIME has been around a very long time and is supported in most of the browsers - - what I should say, is most of the email clients and so that's a bit of a difference there. So, that's very interesting, Tim.
Tim CallanTim CallanYeah, and I think that's a really important point Jay, which is you can go use your S/MIME cert right now and you can be very confident that supports going to be there. This other thing, I mean, I can see the potential. I can see where it's really cool, at the same time, I wouldn't view it as a surrogate for S/MIME and, of course, S/MIME is available today.
Jason SorokoJason SorokoThat's I think one of the most important points to be made here, Tim. It’s not a surrogate. It is something else and serves a bit of a different purpose and I think underlying DMARC as a concept itself makes a lot of sense and if you're an enterprise out there that at the very least you don't want to have emails floating around that claim to come from your domain, check into it.
Tim CallanTim CallanYeah. I think that's a good point. Is you don't have to go all the way to a VMC to get the benefit, just doing DMARC by itself yields vast benefits for the enterprise and the rest of it maybe you can do later or you can see how it all shakes out or you can figure out what the best practices are and that can be a phased approach for sure.
Jason SorokoJason SorokoThat's great, Tim. Great information.
Tim CallanTim CallanGreat. So, thank you very much, Jay.
Jason SorokoJason SorokoThank you.
Tim CallanTim CallanThank you, Listeners. This has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud